Specification 

Title of the Invention 

A Cryptosystem Using Multivariable Polynomials 

Field of the Invention 

The present invention relates to a new cryptosystem and cryptographic 
communication that use the difficulty in solving multivariable polynomials. 

Prior Art 

Cryptosystems using polynomials in multivariables have been proposed, for 
instance, by Matsumoto et al. in "Public Quadratic Polynomial-tuples for Efficient 
Signature Verification and Message-encryption", Proc. of EUROCRYPT 88, 
Springer Verlag, Vol. 20, pp. 419-453. In those cryptosystems, elements in 
Galois fields are expressed in polynomial forms, and the messages, or the plaintext, 
are encrypted into coefficients of the polynomials. When each element of a message 
is considered a variable or an indeterminate, the message is considered 
multivariables, and the coefficients of the respective degrees of a polynomial give new 
polynomials in multivariables. However, the security of such cryptosystems has not 
been clear. The present inventor has been aiming at enhancing the security of 
multivariable polynomial cryptosystems, and the result is the present invention. 

Summary of the Invention 

The object of the invention is to provide a novel and strong cryptosystem 
that uses multivariable polynomials and to provide a decryption method and a 
decryptor for decrypting enciphered text according to the cryptosystem. 
A further object of the invention is to provide a recording medium and a 
propagated signal storing the decryption program. 

In the present cryptosystem, we use multivariable polynomials in finite 
extensions of a prime field. We use for instance the following three elements: 

1) Multiplying messages by polynomials and encrypting the respective elements in 
the message into coefficients of the resultant new polynomials; 

2) Adding noise to the messages and then applying an element in the 
symmetric group for scrambling the noise and the messages; and 

3) Multiplying the messages by elements in the finite extension fields. 

Practically sufficient security of the resultant ciphertext is obtained if the 
above addition of noise to the messages and the subsequent permutation by the 
element in the symmetric group, and the above multiplication by the elements in the 
finite extension fields, are performed such that in the respective degrees of the resultant 
polynomial in the extension fields, the messages and the noise are encrypted in a 
complex manner. For practical encryption, the encryption algorithm may be kept secret 
from the persons encrypting their messages, and they can encrypt their messages simply by 
substituting their messages for the indeterminates of the polynomials. Thus we can consider 
the ciphertext polynomials of the messages, and the ciphertext is highly secure. For 
instance, when we multiply our messages by polynomials in finite extension fields 
and express the products in polynomial form in the extension fields, the coefficients 
of the product polynomials are given by new polynomials depending upon both the 
messages and the noise in a complex manner. However, the security of 
cryptosystems using only the multiplication of the messages by the polynomials has 
not been confirmed. 

When we add to the above multivariable polynomial cryptosystem the 
combination with the noise and the subsequent scrambling, the security is remarkably 
enhanced. Further, when we add the multiplication by the elements in the extension 
fields after the scrambling between the messages and the noise, the security is further 
enhanced. Thus our improved cryptosystem is derived. According to the present 
cryptosystem, the characteristic features of the system do not appear during the 
encryption procedure. The features appear through the decryption procedure, and 
procedures corresponding to the encryption algorithm become necessary during the 
decryption. Therefore, the decryption method and decryption device will be 
necessary for the practical use of the cryptosystem. 

According to the invention, messages are considered elements in finite 
extension fields of prime fields. Hereinafter, finite extension fields are sometimes 
called extension fields, fields, etc. The ciphertext, obtained by substituting the 
messages for the indeterminates of polynomials, or by the evaluation of the polynomials at 
the messages, is multiplied by a first secret key (an element in the finite extension 
field), and a permutation by a second secret key is performed on the elements of the 
ciphertext such that the parts corresponding to the message (plaintext) and the noise are 
separated. For breaking the present cryptosystem, both the first and second secret 
keys are necessary, and their candidates are very many. Further, for performing the 
multiplication by the first secret key, it is necessary to know the irreducible 
polynomials that have generated the finite extensions. Therefore, the present 
cryptosystem is highly secure. 

Preferably, the first secret key is selected from the powers of a primitive root of 
a primitive polynomial in the finite extension, so that a wide variety of first secret keys 
is possible by changing the index of the power, for higher security. 
Further, multiplication by the powers of the primitive root is easily done, and the 
decryption becomes easier. 
Preferably, the message corresponding part separated by the second secret 
key is further multiplied by a third secret key comprising a secret polynomial. Thus, 
for the decryption, the multiplication by the first secret key, the permutation by the 
second secret key, and the multiplication by the third secret key are necessary, and even if 
the third secret key were stolen, the irreducible polynomial used for the generation 
of the finite extension before adding the noise would be necessary for the multiplication by 
the third secret key. Therefore, the security of the present system is very high. 

Most preferably, after the multiplication by the third secret key, the power 
root of the product is calculated by a fourth secret key, in such a way that the product 
is raised to an adequate degree's power. Thus, for the decryption, the multiplication 
by the first secret key, the permutation by the second secret key, the multiplication 
by the third secret key of a polynomial, and the power root operation by the fourth 
secret key are necessary. Without the fourth secret key, the ciphertext can be 
decrypted only into complex polynomials of the respective elements in the messages, so 
the security of the present cryptosystem is further enhanced. 

According to the present cryptosystem, the decryption program may for 
instance be distributed through information networks, or as CD-ROMs and IC cards. 

Brief Description of the Drawing 

Fig. 1 is a block diagram showing an encryptor and a decryptor, and their 
interconnection according to the embodiment of the invention. 

Fig. 2 is a flowchart showing an encryption algorithm in the embodiment. 

Fig. 3 is a flowchart showing a practical process for the encryption in the 
embodiment. 

Fig. 4 is a flowchart showing a decryption algorithm in the embodiment. 
Fig. 5 shows an example of the distribution of the decryption program 
through an information network in the embodiment. 

Fig. 6 is a block diagram showing an encryption and decryption device 
according to the embodiment. 

The Best Embodiment 

Figs. 1-6 show the best embodiment. First, major terms in the 
embodiment are described. GF(2^k) and GF(2^n) denote Galois fields, respectively. 
The prime subfields contained in the Galois fields have characteristic of a prime 
number or 0, and when the characteristic is 0, the prime field is the field Q of 
rational numbers. While the characteristic of the prime fields may be a prime 
number or 0, we prefer 2 for easier computation in digital information processing 
devices. The Galois fields GF(2^k) and GF(2^n) are examples of finite 
extensions of the prime field of characteristic 2. The value of k is, for instance, 
between 64 and 16384, and we assume k = 1024 in the embodiment. The value of n is 
greater than that of k, for instance about 2k, preferably 128 to 32768, and we 
assume n = 2048 in the embodiment. 

F(X) is a primitive polynomial in the Galois field GF(2^k) and has 
degree k. Similarly, H(X) is a primitive polynomial in the Galois field GF(2^n) 
and has degree n. For making the decryption easier, we select both F(X) and 
H(X) from the primitive polynomials in the respective extension fields. However, F(X) 
may be an irreducible polynomial in the Galois field GF(2^k). Similarly, H(X) 
may be an irreducible polynomial in the Galois field GF(2^n). α is one of the roots 
of the polynomial F(X), and so F(α) = 0. γ is a primitive root of H(X), and so 
H(γ) = 0. x is a natural number, and γ^x is a non-zero element of the Galois 
field GF(2^n). 

M means a message and is 1024-bit data in the embodiment. We consider 
M a vector comprising 1024 elements (m1 - mk), where k is for instance 1024, and 
consider M also an element of the Galois field GF(2^k). In this specification, the set 
N of natural numbers comprises the positive integers and 0. For the encryption, we use 
t polynomials β1(α), β2(α), ..., βt(α), all of which are 
elements in the Galois field GF(2^k), and transform the message M into the ciphertext at 
the first stage, M(α), by the following equation (1): 

    M(\alpha) = M \beta_1(\alpha) \cdot M \beta_2(\alpha) \cdots M \beta_t(\alpha) \bmod F(\alpha)    (1) 

We call the resultant M(α) the message corresponding part and denote the product 
β1(α)···βt(α) simply by β. The operation by equation (1) is 
performed in the Galois field GF(2^k), and since it is obvious that modular 
operations are performed, when obvious in context, we will sometimes omit the 
notation for the modular operations. 

A noise r(α) of degree (n - k) is randomly produced and combined, 
for instance, at the end of the message corresponding part M(α). The degree of 
the noise r(α) is for instance 1024, and obviously the noise r(α) is for instance 
1024 bits long. An element in the symmetric group (the permutation group) is 
applied to the message corresponding part and the noise, and their elements 
are completely scrambled. We call the resultant Γ, which has order n and is an 
element in the Galois field GF(2^n). We denote the above mapping from M(α) to 
Γ by Φ^{-1}_nk and denote the inverse mapping of Φ^{-1}_nk by Φ_nk, which will be used 
during the decryption. We call the transformation between M(α) and Γ 
substitution without referring to encryption or decryption, since whether it means 
encryption or decryption will be obvious in context. 

We multiply Γ by γ^x and get a resultant polynomial C. The respective 
coefficients of the polynomial C are themselves polynomials depending upon both 
the noise and the message corresponding part in a complex manner. We sometimes 
write the polynomial C as a set of coefficients Ci of the respective degrees of C, so that 
C = {Ci(M)}. C is the final ciphertext. For emphasizing that C is a function of the 
message M, we will sometimes write the ciphertext C as C(M). 

The above encryption algorithm may be performed more simply without 
reference to the encryption algorithm. Since C(X) = {Ci(X)} is disclosed as the 
public key, a sender substitutes M for X in the public key and thus gets the 
ciphertext Ci(M) (i = 1 - n). Each element Ci(M) of the ciphertext is a polynomial 
in the elements (m1 - mk) of the message M. 

The secret keys are F(X), H(X), x (or γ^x), Φ_nk, β, and t, which is a 
positive integer. β is represented by the following equation (2): 

    \beta = \beta_1(\alpha) \cdot \beta_2(\alpha) \cdots \beta_t(\alpha)    (2) 

We select γ from the primitive roots of H(X), so any non-zero element 
in the Galois field GF(2^n) can be represented as γ^x, and therefore the 
multiplication by γ^x is easily performed. Let f be a natural number (index) such 
that M^{tf} = M. If t and 2^k - 1 are mutually prime, there exists such a natural number 
f. Therefore, gcd(t, 2^k - 1), the greatest common divisor between t and 2^k - 1, is 
preferably 1. 
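Why such an f exists when gcd(t, 2^k - 1) = 1, written out in the specification's own symbols as an added derivation (not part of the original text): 

\[
\gcd(t,\,2^k - 1) = 1 \;\Longrightarrow\; \exists\, f \in \mathbb{N}:\ tf \equiv 1 \pmod{2^k - 1},\quad \text{i.e.}\ tf = 1 + q\,(2^k - 1)\ \text{for some}\ q \in \mathbb{N}.
\]

Every non-zero M in GF(2^k) satisfies M^{2^k - 1} = 1, because the multiplicative group of GF(2^k) has order 2^k - 1; hence 

\[
\bigl(M^{t}\bigr)^{f} = M^{tf} = M \cdot \bigl(M^{2^k - 1}\bigr)^{q} = M,
\]

and M = 0 gives 0 trivially. Thus multiplying M(α) by β^{-1} yields M^t, and raising M^t to the f-th power returns M; f is the multiplicative inverse of t modulo 2^k - 1, which is exactly why gcd(t, 2^k - 1) = 1 is required. 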

In the following, networks mean information networks, and digital 
information processing devices mean computers and cryptographic communication 
chips having logic circuits therein. Recording media mean those retrievable by 
computers and decryption chips, and the propagating signals mean those running 
through networks, etc. 

Fig. 1 shows an encryptor 4, a decryptor 6, and the interconnection 
between them through a network such as the Internet. The encryptor 4 receives the 
public key C(X) from a public key memory 8 provided in the decryptor 6 and 
encrypts the message M produced by a plaintext generator 2 provided in the 
encryptor with the public key. The message M is an element in the Galois field 
GF(2^k), composed of (m1, m2, ..., mk), and is k bits long. For the encryption of the 
message M into the ciphertext C(M) with the public key C(X), the message M is 
substituted for X in each element Ci(X) (i = 1 - n) of the public key C(X) of 
degree n. The resultant ciphertext C(M) is an element in the Galois field GF(2^n). 

In the decryptor 6, a secret key memory 10 is provided for storing the 
primitive polynomial F(X) in the Galois field GF(2^k), the primitive polynomial 
H(X) in the Galois field GF(2^n), the value of the primitive root γ in the Galois 
field GF(2^n) if plural primitive roots are present, the value x in γ^x, the 
permutation Φ_nk in the symmetric group for separating the message corresponding 
part and the noise, the polynomial β used for the multiplication by equation 
(1), and t, the index of the power of M, etc. 

Multiplication means 12 multiplies the ciphertext C(M) by γ^{-x} in the 
Galois field GF(2^n), and C(M) is transformed into Γ = C(M)γ^{-x}. Substitution 
means 14 applies Φ_nk in the symmetric group to Γ so that the message 
corresponding part M(α) and the noise are separated from Γ. Second 
multiplication means 16 multiplies the message corresponding part M(α) by the 
inverse β^{-1} of the polynomial β such that M^t = M(α)β^{-1}. Then M^t is further 
raised to the f-th power, and since M^{tf} = M, the plaintext is obtained. When t and 2^k 
- 1 are mutually prime, the above f, a positive integer, exists. 

Fig. 2 shows a practical encryption algorithm. The message M, which is for 
instance 1024 bits long and may already include some noise in it, is deemed an 
element in the Galois field GF(2^k) and processed by equation (1) so that the 
message corresponding part M(α) results. 

    M(\alpha) = M \beta_1(\alpha) \cdot M \beta_2(\alpha) \cdots M \beta_t(\alpha) \bmod F(\alpha)    (1) 

The message corresponding part M(α) is a polynomial of degree at most k - 1, 
and in each coefficient of the polynomial, the elements m1 - mk of the message M 
are scrambled in a complex manner. The coefficients of the polynomial are 
respectively deemed polynomials of degree t in the variables m1 - mk. When the 
message corresponding part M(α) is used as the final ciphertext, the security has 
not been confirmed. Therefore we enhance the security as follows. 

The message corresponding part M(α) is scrambled with the noise 
r(α) of degree n - k. For instance, first the noise r(α) is adjoined at the end of 
the message corresponding part M(α), and then the element Φ^{-1}_nk in the 
symmetric group is applied to them. Thus they are transformed into the element Γ 
in the Galois field GF(2^n). 

Next, Γ is multiplied by γ^x, and the elements in the message 
corresponding part M(α) and the elements in the noise r(α) are combined in a 
complex manner in each coefficient of the polynomial C in the Galois field GF(2^n). 
Here γ is a primitive root of the primitive polynomial H(X), and hence any 
non-zero element in the Galois field GF(2^n) may be expressed as γ^x for some x. 
The resultant ciphertext C is very secure. 

In the embodiment, three steps have been performed in the following 
order: first the operation by equation (1), then the addition of the noise r(α) 
and the permutation (scramble), and finally the multiplication by γ^x. However, 
they may be performed in a different order. For instance, first the scramble between 
the message M and the noise r may be done, and then the multiplication by the 
polynomial and the other multiplication by the power of the primitive root may be 
done. Alternatively, first the multiplication by the power of the primitive root may 
be done, then the scramble with the noise r may be done, and finally the 
multiplication by the polynomial may be done. Moreover, since the present 
cryptosystem is very secure, the addition of and permutation with the noise and just 
one of the group comprising the first multiplication by the polynomial and the 
second multiplication by the power of the primitive root may be performed. 

While Fig. 2 shows the encryption algorithm in detail, practically the 
sender does not need to know the encryption algorithm. In the practical encryption, 
as shown in Fig. 3, the public key C(X) comprising the elements Ci(X) (i = 1 - n) is 
disclosed, where the indeterminate X has the same data length as the message M. 
When a sender substitutes the message M for the indeterminate X, the 
ciphertext C(M) is obtained. Therefore, the encryption is very easily performed, 
and the public key C(X) is a strong one-way function. 

Fig. 4 shows the decryption algorithm. The ciphertext C(M) received 
by the decryptor 6 is multiplied by γ^{-x}, and thus Γ is obtained. Since γ is an 
element in the Galois field GF(2^n), the multiplication is easily performed. Next, the 
mapping Φ_nk, which is the inverse of Φ^{-1}_nk already used for the addition of the 
noise and the subsequent scrambling, is applied to Γ so that Γ is transformed into 
the message corresponding part M(α) and the noise r(α) separately. The noise 
is discarded. During this step, the order of the Galois field decreases from 2^n to 
2^k. Next, the message corresponding part M(α) is multiplied by the inverse β^{-1} 
of the product β of the t polynomials β1(α) ~ βt(α) in equation 
(1), and hence M(α) is transformed into M^t. If t and 2^k - 1 are mutually prime, 
there exists some natural number f such that M^{tf} = M. As a result, the message M is 
decrypted. 
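The encryption of Fig. 2 (equation (1), the product β of equation (2), the noise r(α), the permutation Φ^{-1}_nk and the multiplication by γ^x) and the decryption of Fig. 4, carried through as a runnable toy model. This is an added example, not code from the specification or its applicant. It assumes the small parameters k = 8 and n = 16, the constructed primitive polynomials F_POLY and H_POLY, the field element X itself as the primitive root γ, and seeded random key values; all of these are choices made here for illustration, not values from the embodiment. 

```python
"""Toy model of the Fig. 2 / Fig. 4 cryptosystem with k = 8, n = 16 (added example,
not the patent's code). Polynomials over GF(2) are Python ints, bit i = coeff of X^i;
F_POLY, H_POLY, the key values and the messages are constructed for this example."""
import random
from math import gcd

K, N = 8, 16
F_POLY = 0x11D    # X^8 + X^4 + X^3 + X^2 + 1, primitive: defines GF(2^k)
H_POLY = 0x16801  # X^16 + X^14 + X^13 + X^11 + 1, primitive: defines GF(2^n)

def gf_mul(a, b, poly, deg):
    """a * b reduced modulo the degree-`deg` polynomial `poly` over GF(2)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> deg) & 1:
            a ^= poly
    return r

def gf_pow(a, e, poly, deg):
    """a^e by square-and-multiply in the field defined by `poly`."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, poly, deg)
        a = gf_mul(a, a, poly, deg)
        e >>= 1
    return r

def gf_inv(a, poly, deg):
    """a^-1 = a^(2^deg - 2), valid because `poly` is irreducible."""
    return gf_pow(a, (1 << deg) - 2, poly, deg)

def prime_factors(n):
    factors, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            factors.add(p)
            n //= p
        p += 1
    if n > 1:
        factors.add(n)
    return factors

def is_primitive(poly, deg):
    """True iff X is a primitive root of `poly`, i.e. X has order 2^deg - 1."""
    order = (1 << deg) - 1
    if gf_pow(2, order, poly, deg) != 1:
        return False
    return all(gf_pow(2, order // p, poly, deg) != 1 for p in prime_factors(order))

def keygen(t, seed=0):
    """Secret keys: beta (eq. 2), x of gamma^x, the permutation, t and f."""
    if gcd(t, (1 << K) - 1) != 1:
        raise ValueError("t must be coprime to 2^k - 1 so that f exists")
    rng = random.Random(seed)
    beta = 1
    for _ in range(t):                        # beta = beta_1(alpha) ... beta_t(alpha)
        beta = gf_mul(beta, rng.randrange(1, 1 << K), F_POLY, K)
    perm = list(range(N))
    rng.shuffle(perm)                         # Phi^-1_nk: an element of S_n
    return {"t": t, "beta": beta, "x": rng.randrange(1, (1 << N) - 1),
            "perm": perm, "f": pow(t, -1, (1 << K) - 1)}  # t*f = 1 mod 2^k - 1

def encrypt(m, key, rng=random):
    """Fig. 2: M(alpha) = M^t beta mod F, adjoin noise, permute, multiply by gamma^x."""
    m_alpha = gf_mul(gf_pow(m, key["t"], F_POLY, K), key["beta"], F_POLY, K)
    noise = rng.randrange(0, 1 << (N - K))    # r(alpha): n - k random coefficients
    combined = m_alpha | (noise << K)         # noise adjoined after M(alpha)
    gamma_bits = 0
    for i in range(N):                        # apply Phi^-1_nk to the n coefficients
        if (combined >> i) & 1:
            gamma_bits |= 1 << key["perm"][i]
    gamma_x = gf_pow(2, key["x"], H_POLY, N)  # gamma = X, a root of H(X)
    return gf_mul(gamma_bits, gamma_x, H_POLY, N)   # C = Gamma * gamma^x

def decrypt(c, key):
    """Fig. 4: times gamma^-x, apply Phi_nk, drop noise, divide by beta, f-th power."""
    gamma_x_inv = gf_pow(2, (1 << N) - 1 - key["x"], H_POLY, N)  # gamma^(2^n-1) = 1
    gamma_bits = gf_mul(c, gamma_x_inv, H_POLY, N)
    combined = 0
    for i in range(N):                        # Phi_nk undoes the permutation
        if (gamma_bits >> key["perm"][i]) & 1:
            combined |= 1 << i
    m_alpha = combined & ((1 << K) - 1)       # low k coefficients; noise discarded
    m_t = gf_mul(m_alpha, gf_inv(key["beta"], F_POLY, K), F_POLY, K)  # M^t
    return gf_pow(m_t, key["f"], F_POLY, K)   # (M^t)^f = M as t*f = 1 mod 2^k - 1

def roundtrip_all(t=7, seed=1):
    """True if every k-bit message survives encrypt -> decrypt under fresh noise."""
    key, rng = keygen(t, seed), random.Random(seed)
    return all(decrypt(encrypt(m, key, rng), key) == m for m in range(1 << K))
```

`roundtrip_all()` exercises every 8-bit message with fresh noise, and `decrypt(encrypt(0xA5, keygen(7, seed=1)), keygen(7, seed=1))` traces a single message. `is_primitive()` is the check a practitioner should run on F(X) and H(X) before use: `decrypt()` computes γ^{-x} as γ^{2^n - 1 - x}, which is only correct when γ has full order 2^n - 1, and `keygen()` refuses any t that shares a factor with 2^k - 1 because the fourth key f would then not exist. 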

Fig. 5 shows the distribution of decryption programs through a network 24. 
A distribution station is denoted by 20, and a recipient station is denoted by 22. The 
recipient station 22 requests the distribution station 20 to send the decryption 
program, and the distribution station 20 sends the decryption program, the public 
key, and the secret keys as a signal propagating through the network 24 to the recipient 
station 22. The decryption program distributed is one for performing the algorithm 
in Fig. 4. 

Fig. 6 shows an example of an encryption and decryption device 30. An I/O 
32 communicates with the outside or is connected to an outside computer and so on. 
A public key memory 34 stores the public key C(X) and discloses the key to the 
public. Multiplication means 36 stores the value of γ^{-x} and multiplies the 
ciphertext by γ^{-x}. Substitution means 38 stores the element Φ_nk in the symmetric 
group for transforming Γ into the message corresponding part M(α), and thus 
transforms Γ into M(α). Second multiplication means 40 stores the inverse β^{-1} 
of the polynomial β and multiplies the message corresponding part M(α) by β^{-1} 
such that M^t is obtained. The resultant is further raised to the f-th power by 
raising means 42 and decrypted to the original message M. Encrypting means 44 
encrypts the message M produced in the encryption and decryption device 30. 
These means 36 - 44 may easily be realized by a combination of registers and 
logic gates and so on, or by means of computer software installed in an 
adequate computer. 

While the embodiment has been described with an example of a public 
key cryptosystem, the cryptosystem according to the invention may be designed as a 
secret key cryptosystem. In that case, if the secret keys, such as the primitive 
polynomials, the value of x, the element Φ_nk in the symmetric group for the 
separation between the message corresponding part and the noise, the polynomial β, 
the value of t, and the length of M, are renewed properly, the longevity of the 
cryptosystem is enhanced. While the embodiment has shown a specific example, 
alterations may be made. For instance, the secret keys themselves do not need 
to be stored necessarily, and other data equivalent to the secret keys, or data that can be 
transformed into the secret keys, may be stored in place of the secret keys. 



